Heartbleed Bug Breaches Security

One of the largest security vulnerabilities the internet has ever experienced left thousands of websites open to hackers as a result of a flaw introduced into the OpenSSL software over two years ago.

The Heartbleed bug had the potential to affect 66 percent of websites worldwide, Edward Christensen, Vice President of Information Management, said in an email to University students on April 21.

The Heartbleed bug allows an attacker to send an invalid heartbeat message to a server and retrieve 64 KB of information stored in its memory, said Jan Rohn, a specialist professor in the computer science and software engineering department.

The 64 KB of stored memory that is returned may include the encryption keys for that network which, if retrieved, allow hackers to read the encrypted information being shared, Rohn explained. The information shared through a network often includes a user’s passwords and other personal information, which would then be accessible.

“What this flaw did was allow the potential for somebody to get the encryption key, which is really another way of saying they get the magic decoder ring and they can read all the messages coming in,” Christensen said.

As a result, all of the information communicated between the user and the server through the website could be exposed by the Heartbleed bug.

Christensen explained that if a hacker had access to the server flaw and found a way to intercept the messages being sent between the user and the website, the hacker would be able to obtain the information being communicated.

Through the same server, the hacker would also be able to access the information of everyone who logs into the website using that server; they would then hold the keys to that website and be able to retrieve the passwords of all the people who log in to it, Christensen explained.

So far, the Washington Post has confirmed one hacker who used the Heartbleed flaw to obtain information. A 19-year-old Canadian male, Stephen Arthuro Solis-Reyes, was arrested on April 15, and the computer he used to hack into the server was seized. The Washington Post reported that the Canada Revenue Agency found that Solis-Reyes stole 900 social security numbers using Heartbleed.

On a scale from one to 10, the Heartbleed bug has the potential to be a nine or a 10 in terms of severity, said Robert Carsey, Director of Server Operations for Information Operations. “I think that most people in the IT community saw this potential and acted very quickly to plug up the security holes before many hackers had the chance to exploit it.”

The Heartbleed bug was announced to the public on April 7, after the proper patches had been created to secure the affected sites from being hacked. The bug was the result of an accidental oversight by the OpenSSL programmer, Carsey said, after viewing the actual code responsible for the security hole.

“[The programmer] had submitted his work on December 31, 2011. His work was subsequently reviewed and approved by another OpenSSL team member,” Carsey explained, which led him to believe that the server flaw was an accident.

OpenSSL v1.0.1, which contained the Heartbleed bug, was released to the public on March 14, 2012 as an update to the previous OpenSSL version. The purpose of the OpenSSL software is to send information through a network in a secure fashion, Rohn explained.

The Heartbleed bug is such a severe issue because hundreds of thousands of websites and servers have this flaw, Christensen said. “It is a flaw that is in a system that is commonly used all over the place,” he added.

Mashable.com created a list of websites that were affected and noted which of them have since been patched, updating their servers so that they no longer have the vulnerability. Websites such as Google, Yahoo, Pinterest, Dropbox, and American Funds are just a few of the many websites that were affected by the Heartbleed bug, according to Mashable.com.

Some bank websites that were not affected by the Heartbleed bug include TD Bank, American Express, Bank of America, Wells Fargo, and Capital One, to name a few. Other websites that were not affected include PayPal, eBay, Target, and AOL.

To fix the Heartbleed flaw, technology professionals created patches that block unauthorized access to secure transactions between the server and the user. “A patch is a software update that is usually made to fix a problem in software,” Rohn said. “They are very common. For example, Windows updates are patches to the Windows operating system.”

Websites that have completed their patches are now urging users to change their passwords to make sure those passwords are safe. “Yes, users should change their passwords,” said Rohn. “They should do this after the software on the server has been updated with the patch.”

The patch changes 20 lines of code in the OpenSSL software to remove the flaw, Carsey explained. Therefore, the patch is a reliable fix for the problem.
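To make the mechanism Rohn describes above (a heartbeat whose length field asks for far more than it carries) and the bounds check that Carsey's patch adds concrete, here is an added C model written for this article; it is not OpenSSL's code. The record layout, the `process_mem` and `SECRET` buffers and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record: type, 2-byte big-endian length, payload; not OpenSSL's code. */
#define HEADER_LEN 3
/* Constructed "process memory": the received record followed by unrelated data (a stand-in for key material). */
static unsigned char process_mem[64];
static unsigned char echo_buf[64];                    /* where the response payload is assembled */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* Writes a request whose length field claims `claimed` bytes but really carries `actual` bytes; returns the record length received. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = 1;                               /* heartbeat_request */
    process_mem[1] = (unsigned char)(claimed >> 8);
    process_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_mem + HEADER_LEN, payload, actual);
    memcpy(process_mem + HEADER_LEN + actual, SECRET, sizeof SECRET - 1);
    return HEADER_LEN + actual;
}

/* Vulnerable pattern: the peer-supplied length is trusted, so the echo copies past the real payload into whatever lies beyond it. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                    /* the bug: rec_len is never consulted */
    if (HEADER_LEN + (size_t)claimed > sizeof process_mem) return -1;   /* keeps this model inside its own array */
    memcpy(echo_buf, rec + HEADER_LEN, claimed);
    return claimed;
}

/* Patched pattern: a request whose claimed payload exceeds what was actually received is dropped instead of echoed. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HEADER_LEN) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HEADER_LEN + (size_t)claimed > rec_len) return -1;      /* the added bounds check */
    memcpy(echo_buf, rec + HEADER_LEN, claimed);
    return claimed;
}

/* Handles a 3-byte "hi!" request whose length field claims `claimed` bytes; returns bytes echoed, or -1 if dropped. */
int handle_heartbeat(int use_fix, uint16_t claimed) {
    size_t rec_len = build_record(claimed, "hi!", 3);
    return use_fix ? heartbeat_fixed(process_mem, rec_len) : heartbeat_vulnerable(process_mem, rec_len);
}

/* 1 if the echoed bytes include the neighbouring secret, else 0. */
int secret_leaked(int use_fix, uint16_t claimed) {
    int n = handle_heartbeat(use_fix, claimed);
    return n >= (int)(3 + sizeof SECRET - 1) && memcmp(echo_buf + 3, SECRET, sizeof SECRET - 1) == 0;
}
```

With a length field of 22 on a 3-byte payload, the unpatched handler echoes the secret that sits beyond the record, while the patched handler drops the request; both echo an honest 3-byte request unchanged.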

Carsey, who also believes that it is now safe to change users’ passwords, recommends that users download the ChromeBleed app from the Chrome Web Store. “With this app loaded in Chrome, you’ll be alerted if the site you’re visiting is not patched. There may be similar apps for other browsers,” said Carsey.

The University Technology Department has patched the websites that were at risk of the Heartbleed bug, Christensen explained. “Information Management has identified and patched all known vulnerabilities following vendor and information security best practice,” Christensen said in an email to University students on April 21.

“We didn’t have a lot of systems that were at risk at all,” said Christensen. “Out of 120 we had less than 10 that had any risk and most of those risks were not the users (students or employees).”

Christensen also said a majority of the servers at risk were within his staff in the Information Management Department. “We changed their passwords last week, right away because that is where the bigger risk was,” he said in an interview on April 15.

Christensen said that securing the University servers involves three steps: applying patches that close the OpenSSL flaw, and with it the opportunity for hackers to intrude; issuing a new security certificate; and lastly, asking University staff and students to create new passwords.

“Even though there is no evidence that any Monmouth servers were compromised as a result of Heartbleed, the University strongly encourages [students and staff] to change [their] Monmouth password as a precaution,” said Christensen in an email on April 21.

Christensen also advises readers to change the password of all accounts that were at risk of Heartbleed and are now patched. If a hacker finds a password for one account, they can try that same password at any other account as well, he added.

“If I knew your email address and I knew your password to your email, I would try it on eBay, I would try it on Facebook, I would try it at Capital One, hoping that I would get somewhere,” Christensen said, explaining the mentality of a hacker.

Key things to avoid when changing passwords are using the same password for every account and using very similar passwords, Christensen explained.

A good alternative is to use a different password for each type of service or website, said Carsey, who uses four different passwords: one for banking, one for email, one for work, and another for everything else.

“The idea is that if my password on eBay or Amazon is compromised, I don’t want that person to automatically have access to my email, which is usually needed in order to reset passwords on various websites,” said Carsey. “And of course, I wouldn’t want Microsoft or Gmail to know the password for my bank.”

Mary Harris, a specialist professor in communication, reported the Heartbleed news to her students. “When the news about Heartbleed was released to the public, I was frustrated, but not surprised,” said Harris. “I have always been mildly concerned about internet security and cyber threats, but to actually learn about this happening makes me wonder when the next issue might arise.”

Harris said she has changed some of her passwords, although she is still researching and waiting for website security reports.

Christensen advises students and staff to change their passwords at https://www.monmouth.edu/university/Password.aspx, or by using the telephone password reset line at 732-923-4600 and following the prompts.

To check whether a website is affected by the Heartbleed bug, you can visit https://filippo.io/Heartbleed/ and type in any website to learn whether it is at risk.